The purpose of this notice is to inform you of the type of information (including personal information) that the Integrated Care Board (ICB) holds; how that information is used; who we may share that information with; and how we keep it secure and confidential.
This privacy statement only covers NHS Suffolk and North East Essex Integrated Care Board and does not cover any other organisations, including organisations that can be linked to from this site.
Who we are and what we do
NHS Suffolk and North East Essex Integrated Care Board
Severalls Business Park
Information Commissioner’s Office (ICO) registration number: ZB340189
Data Protection Officer – Paul Cook (IG) – email: firstname.lastname@example.org
NHS Suffolk and North East Essex Integrated Care Board are responsible for implementing the commissioning roles as set out in the Health and Care Act 2022.
The ICB processes several different types of information:
- Identifiable – containing details that identify individuals. The following are data items that are considered identifiable: name, address, NHS Number, full postcode, date of birth
- Pseudonymised information – individual-level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity
- Anonymised – about individuals but with all identifying details removed
- Aggregated – statistical information about multiple individuals that has been combined to show general trends or values without identifying individuals within the data.
We hold information centrally which is used for statistical purposes to allow us to plan the commissioning of healthcare services. We will only use pseudonymised / anonymised data for this purpose, which means you cannot be identified from that information.
Examples of this include:
- Evaluation and review of services such as checking their quality and efficiency
- Checking NHS accounts and services
- Working out what illnesses people will have in the future so that we can work with the local primary care services, community services and hospital services to make sure that patient needs are met
- Preparing performance reports about the services we commission
- Reviewing the care we commission to make sure it is of the highest standard
We will only use information that may identify you (known also as personal confidential data) in accordance with the Data Protection Act 2018. The Data Protection Act requires us to have a legal basis if we wish to process any personal information.
Therefore, as a commissioning organisation we do not routinely hold medical records or patient confidential data. There are some specific areas, however, because of our assigned responsibilities where we do hold and use personal information. In order to process that information, we will have met a legal requirement. In general, this is where we have complied with one of the following:
- The information is necessary for facilitating direct healthcare for patients
- We have received consent from individuals to be able to use their information for a specific purpose
- There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime
- There is a legal requirement that will allow us to use or provide information (e.g. a formal court order)
- We have special permission for health purposes (granted by the Health Research Authority Section 251)
- For the health and safety of others, for example to report an infectious disease such as COVID-19, meningitis or measles
Circumstances where we might need to use personal information
The areas where we use personal information are:
- Individual Funding Requests (IFR) – a process where patients and their GPs can request special treatments not routinely funded by the NHS
- Continuing Healthcare Assessments (a package of care for those with complex medical needs)
- The Medicines Management team work closely with the GP practices to support effective prescribing
- Social Prescribing Team
- Responding to your queries, concerns or complaints
- Incident investigations
- Assessment and evaluation of safeguarding concerns for individuals
- If you are a member of our patient participation group, or have asked us to keep you up to date about our work and involved in our engagement and public consultations
- To assess the needs of the general population
- Risk stratification
- Financial validation
Information about your health and care helps us to improve your individual care, speed up diagnosis, plan your local services and research new treatments. The NHS is committed to keeping patient information safe and always being clear about how it is used.
How your data is used
Information about your individual care such as treatment and diagnoses is collected about you whenever you use health and care services. It is also used to help us and other organisations for research and planning such as research into new treatments, deciding where to put GP clinics and planning for the number of doctors and nurses in your local hospital. It is only used in this way when there is a clear legal basis to use the information to help improve health and care for you, your family and future generations.
Wherever possible we try to use data that does not identify you, but sometimes it is necessary to use your confidential patient information.
You have a choice
You do not need to do anything if you are happy about how your information is used. If you do not want your confidential patient information to be used for research and planning, you can choose to opt out securely online or through a telephone service. You can change your mind about your choice at any time.
Will choosing this opt-out affect your care and treatment?
No, choosing to opt out will not affect how information is used to support your care and treatment. You will still be invited for screening services, such as screenings for bowel cancer.
What do you need to do?
If you are happy for your confidential patient information to be used for research and planning, you do not need to do anything.
To find out more about the benefits of data sharing, how data is protected, or to make/change your opt-out choice visit www.nhs.uk/your-nhs-data-matters
All staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff will receive appropriate training on confidentiality of information and staff who have regular access to personal confidential data will have received additional specialist training.
We take relevant organisational and technical measures to make sure that the information we hold is secure – such as holding information in secure locations, restricting access to information to authorised personnel, protecting personal and confidential information held on equipment such as laptops with encryption, and ensuring information is transferred safely and securely.
The ICB does not transfer personal confidential information overseas.
Under the Data Protection Act 2018, the ICB is required to register with the Information Commissioner’s Office detailing all purposes for which personal identifiable data is collected, held and processed.
The ICB has a legal duty to protect any information we collect from you. We use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it.
In Health and Care, all organisations apply retention schedules in accordance with the NHS Records Management Code of Practice 2021 which determines the length of time records should be kept.
We work with several other NHS and partner agencies to provide health and social care services to you. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how conditions spread across our local area compared against other areas.
We contract with other organisations to provide a range of services to us such as IT services, Payroll and other support services. In these instances, we ensure that our partner agencies have contracts which outline that your information is processed under strict conditions and in line with the law.
We ensure our external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
Current external data processors:
Data Services for Commissioners Regional Offices (DSCRO) – this is a regional secure service provided to the ICB by NHS Digital via North of England Commissioning Support Unit (NECSU).
Information may also be required to be shared for your benefit with other non-NHS organisations, from which you are also receiving care, such as social services and other providers from which we commission services. Where information sharing is required with third parties, we will not disclose any health information without your explicit consent unless it is to facilitate direct care or there are exceptional circumstances or a legal obligation such as:
- There is a risk of harm to someone or the wider community
- The prevention or detection of a serious crime
- Where we are required to do so by law
- Reporting some infectious diseases
- Prevention and detection of fraud – National Fraud Initiative (NFI)
If we are obligated to release information as described above, this will usually only be done with the approval of our Caldicott Guardian.
The ICB is party to several information sharing agreements which are drawn up to ensure information is shared in a way that complies with relevant legislation. These NHS and non-NHS organisations may include, but are not restricted to social services, education services, local authorities, police, and public health.
Under data protection law, you have rights including:
- Your right of access – You have the right to ask us for copies of your personal information.
- Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
- Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.
- Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please contact us at: email@example.com if you wish to make a request.
If you have any concerns about our use of your personal information, you can make a complaint to us at:
Data Protection Officer (DPO)
Suffolk and North East Essex Integrated Care Board
Severalls Business Park
Or email the DPO at: firstname.lastname@example.org
If you are not happy with the response, you can also complain to the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
If our privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing the page ensures you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties.
Privacy Notice reviewed: July 2022
Information previously held by the CCGs
Information that has been held previously by Ipswich and East Suffolk, West Suffolk and North East Essex CCGs was transferred to NHS Suffolk and North East Essex Integrated Care Board (ICB) on 1st July 2022. The ICB will become the new data controller. Any questions about the use of data (including patient data) by the ICB should be directed to email@example.com